DNS
Although AppJail does not include a DNS server, it includes some useful scripts for using your favorite DNS server. We just need to enable and start our DNS server and the appjail-dns RC script.
AppJail comes with a configuration file for dns/dnsmasq, so we will use it for these examples.
sysrc appjail_dns_enable="YES"
sysrc dnsmasq_enable="YES"
sysrc dnsmasq_conf="/usr/local/share/appjail/files/dnsmasq.conf"
touch /var/tmp/appjail-hosts
service dnsmasq start
service appjail-dns start
Tip
Instead of using the host IP address, we can use an if_tap(4) interface with a fixed address: if the host IP address is not static, pointing the jails at it can cause problems.
sysrc cloned_interfaces="tap0"
sysrc ifconfig_tap0_name="ajdns"
sysrc ifconfig_ajdns="inet 172.0.0.1/32"
service netif cloneup
service netif start ajdns
Note
This document assumes the above configuration.
Using a custom resolv.conf(5) file (recommended)
We now have our DNS server up and running, so we just need to tell the new jails to point to that server. This can be accomplished by simply editing /etc/resolv.conf on the host, but this has some problems which are described in the next section. A much simpler way is to set DEFAULT_RESOLV_CONF to a custom resolv.conf(5) file in our AppJail configuration file.
/usr/local/etc/appjail/appjail.conf:
DEFAULT_RESOLV_CONF=/usr/local/etc/appjail/resolv.conf
/usr/local/etc/appjail/resolv.conf:
nameserver 172.0.0.1
Using /etc/resolv.conf as our resolv.conf(5) file
We need to modify /etc/resolv.conf; however, we cannot simply edit this file, as resolvconf(5) will regenerate it and all the changes we have made will be lost.
/etc/resolvconf.conf:
name_servers="172.0.0.1"
It is not enough to modify resolvconf(5); we also need to modify dhclient.conf(5) to force the use of our DNS server.
/etc/dhclient.conf:
supersede domain-name-servers 172.0.0.1;
And run:
# resolvconf -u
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 172.0.0.1
Changing /etc/resolv.conf of existing jails
If we already have some jails with an existing /etc/resolv.conf pointing to a different server, this is very easy to fix.
appjail cmd all local cp $resolv_conf etc/resolv.conf
Warning
$resolv_conf is only a shell variable; set it to a correct file before executing this command.
Example
appjail cmd all local cp /usr/local/etc/appjail/resolv.conf etc/resolv.conf
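The warning above matters because the cp runs in every jail at once. The following check, an added example that is not part of AppJail, validates the candidate file before it is copied anywhere; it assumes the appjail-dns address 172.0.0.1 used on this page and checks only nameserver lines (the sample files it creates are constructed, not taken from a real host).

```sh
# Added example, not part of AppJail: check a resolv.conf(5) candidate before
# "appjail cmd all local cp $resolv_conf etc/resolv.conf" pushes it into every
# jail. Assumes the appjail-dns address 172.0.0.1 used on this page.

# check_resolv_conf FILE EXPECTED_NS
# Returns 0 when FILE is readable, has at least one "nameserver" line and
# every nameserver equals EXPECTED_NS; otherwise prints why and returns 1.
check_resolv_conf() {
    file=$1
    expected=$2
    found=0
    if [ ! -r "$file" ]; then
        echo "check_resolv_conf: $file is missing or unreadable" >&2
        return 1
    fi
    # "|| [ -n "$key" ]" keeps a last line that lacks a trailing newline
    while read -r key val rest || [ -n "$key" ]; do
        case $key in
        ''|'#'*|';'*) continue ;;          # blank lines and comments
        nameserver)
            if [ "$val" != "$expected" ]; then
                echo "check_resolv_conf: $file names $val, expected $expected" >&2
                return 1
            fi
            found=$((found + 1))
            ;;
        esac
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "check_resolv_conf: $file has no nameserver line" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not from a real host): good.conf is what
# "resolvconf -u" writes after the dhclient.conf change above; bad.conf adds
# a second resolver outside AppJail's DNS; empty.conf has no nameserver.
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
printf '# Generated by resolvconf\nnameserver 172.0.0.1\n' > "$demo_dir/good.conf"
printf 'nameserver 172.0.0.1\nnameserver 192.0.2.53\n' > "$demo_dir/bad.conf"
printf '# Generated by resolvconf\n' > "$demo_dir/empty.conf"

for resolv_conf in "$demo_dir"/good.conf "$demo_dir"/bad.conf "$demo_dir"/empty.conf; do
    if check_resolv_conf "$resolv_conf" 172.0.0.1; then
        echo "OK: $resolv_conf is safe to copy into the jails"
        # appjail cmd all local cp "$resolv_conf" etc/resolv.conf
    else
        echo "REFUSED: $resolv_conf left untouched"
    fi
done
```

Only good.conf passes; the other two are rejected before any jail is touched.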
Testing our DNS configuration
We can now communicate with the jail using the host name instead of the IP address.
# appjail jail list -j python
STATUS NAME TYPE VERSION PORTS NETWORK_IP4
UP python thin 13.2-RELEASE - 10.42.0.4
# ping -c4 python.development.appjail
PING python.development.appjail (10.42.0.4): 56 data bytes
64 bytes from 10.42.0.4: icmp_seq=0 ttl=64 time=0.275 ms
64 bytes from 10.42.0.4: icmp_seq=1 ttl=64 time=0.212 ms
64 bytes from 10.42.0.4: icmp_seq=2 ttl=64 time=0.207 ms
64 bytes from 10.42.0.4: icmp_seq=3 ttl=64 time=0.216 ms
--- python.development.appjail ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.207/0.228/0.275/0.028 ms
Using shorter domain names
If you prefer a much shorter name than the one used above, you can set SHORTEN_DOMAIN_NAMES to 1 in your AppJail configuration file.
# ping -c4 redis
PING redis (10.42.0.16): 56 data bytes
64 bytes from 10.42.0.16: icmp_seq=0 ttl=64 time=0.244 ms
64 bytes from 10.42.0.16: icmp_seq=1 ttl=64 time=0.154 ms
64 bytes from 10.42.0.16: icmp_seq=2 ttl=64 time=0.216 ms
64 bytes from 10.42.0.16: icmp_seq=3 ttl=64 time=0.189 ms
--- redis ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.154/0.201/0.244/0.033 ms
Info
Use NETWORK_TO_SHORTEN, defined in your AppJail configuration file, to choose which network name to shorten.
When the above feature is enabled, you can use either the short or the long name. The network domain names themselves are kept intact, so if you need to resolve the IP of the network you must use its long name, e.g. ajnet.appjail; you cannot just use ajnet.